Article Description

In October of 1995, Cisco Systems, Inc. began its first serious push into the network security market with the acquisition of NTI (Network Translation, Inc.). NTI's flagship PIX firewall became the Cisco Secure PIX Firewall. From 1995 until 2000, one missing feature frustrated security administrators greatly: secure remote access. Although the PIX Firewall allows Telnet access to its CLI (command line interface), the PIX OS will not allow Telnet from hosts on the outside interface because of the threat of password interception. In 2000, Cisco introduced version 5.2 of the PIX OS. One of the most notable features of 5.2 was support for the new, faster and more scalable PIX 525 Firewall. Another feature that received less fanfare, SSH (Secure Shell), proved very important to security administrators who were tired of driving to the office to make changes to their PIX. SSH encrypts the entire session to the PIX with DES or 3DES, so it was deemed safe to enable on the outside interface. David W. Chapman Jr. demonstrates how to enable and troubleshoot SSH access to your PIX in an easy to follow, step-by-step process.


In this article, I'd like to share one of Cisco's solutions to the ever-vexing issue of secure remote management of the PIX Firewall. There will always be a need for administrators and managed service providers to access remote PIX Firewalls for monitoring, configuration, and troubleshooting. But because Telnet sends everything in plain text, including passwords, the designers of the PIX coded the PIX OS to disallow even the possibility of configuring Telnet access on the outside (public) interface. So, with Telnet unavailable, what can you do?

Cisco provides two mechanisms to securely access your PIX Firewall over an insecure medium such as the Internet. The first is Secure Shell (SSH). The second is IPSec. If your only need for encryption is to secure access to the PIX CLI (command line interface), SSH is much more straightforward to configure and manage. This article discusses how to configure SSH on the PIX Firewall and how to obtain an SSH client.

SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure networks. (From the SSH Internet Draft at http://www.free.lp.se/fish/rfc.txt)

SSH is a more secure alternative to Telnet, which sends all data in plain text. In an SSH session, all data, including the initial sign-on and password submission, is encrypted with the DES or 3DES symmetric block cipher. The PIX Firewall (acting as the SSH server) holds an RSA public/private key pair that you generate on the firewall itself; the private key never leaves the PIX, and the client needs no key pair of its own for password login. When a client connects, the PIX sends its RSA public key. The client then generates a random session key, encrypts it with the PIX's public key and sends it back, so only the PIX, with its private key, can recover it. From that point on, the client and the PIX encrypt the login authentication and every subsequent packet with the session key. One caveat: the client has nothing to check the PIX's public key against, so SSH clients record the key on the first connection and warn if a later connection presents a different one; verify the key the first time through a channel you trust.
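The exchange described above, as an added example that is not part of the original article or of Cisco's PIX code: a Go program that models the SSH v1 session-key establishment between a client and a server standing in for the PIX, using the standard library's RSA (PKCS#1 v1.5) and 3DES-CBC. The function names, the 2048-bit host key, the 24-byte session key and the packet padding are this example's own assumptions; it omits SSH v1's second, short-lived server key, the session-id mixing and the CRC-32 integrity check.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// 3DES session key length; SSH v1 actually negotiates 32 bytes and 3DES uses the first 24.
const sessionKeyLen = 24

// ClientChooseSessionKey is the client side: generate a random session key and encrypt it
// to the server's RSA public key (PKCS#1 v1.5, as SSH v1 does); only the private key recovers it.
func ClientChooseSessionKey(serverPub *rsa.PublicKey) (sessionKey, encrypted []byte, err error) {
	sessionKey = make([]byte, sessionKeyLen)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, serverPub, sessionKey)
	return sessionKey, encrypted, err
}

// ServerRecoverSessionKey is the PIX side: decrypt with the private key that never leaves the firewall.
func ServerRecoverSessionKey(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, encrypted)
	if err != nil {
		return nil, err
	}
	if len(key) != sessionKeyLen {
		return nil, errors.New("session key has wrong length")
	}
	return key, nil
}

// EncryptPacket protects one message (e.g. the login password) with 3DES-CBC under the session
// key. SSH v1 starts CBC with a zero IV; the PKCS#7-style padding simplifies the SSH v1 packet layout.
func EncryptPacket(sessionKey, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	padLen := des.BlockSize - len(msg)%des.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, padded)
	return out, nil
}

// DecryptPacket reverses EncryptPacket, checking block alignment and padding before trusting the bytes.
func DecryptPacket(sessionKey, ct []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not whole blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > des.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

// RunExchange walks the handshake end to end (server publishes host key, client encrypts a fresh
// session key to it, server recovers it, login travels encrypted) and returns what the server decrypted.
func RunExchange(password string) (string, error) {
	host, err := rsa.GenerateKey(rand.Reader, 2048) // the PIX's RSA host key pair
	if err != nil {
		return "", err
	}
	clientKey, enc, err := ClientChooseSessionKey(&host.PublicKey)
	if err != nil {
		return "", err
	}
	serverKey, err := ServerRecoverSessionKey(host, enc)
	if err != nil || !bytes.Equal(clientKey, serverKey) {
		return "", errors.New("server did not recover the client's session key")
	}
	ct, err := EncryptPacket(clientKey, []byte(password))
	if err != nil {
		return "", err
	}
	pt, err := DecryptPacket(serverKey, ct)
	return string(pt), err
}

func main() {
	got, err := RunExchange("pix-enable-password") // constructed sample credential
	fmt.Printf("server recovered %q, err=%v\n", got, err)
}
```

The point to take from the model is which direction the secret travels: the session key is chosen by the client and protected by the server's public key, so an observer on the outside interface who captures the whole exchange sees only RSA ciphertext and 3DES ciphertext. What the model does not give you is any assurance about whose public key you encrypted to, which is why the host-key check on first connection matters.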

Note

The Cisco Secure PIX Firewall implements SSH v1. Although many articles and papers have been written about vulnerabilities in SSH v1, the PIX Firewall is not vulnerable to either the traffic analysis or the key recovery exploits. It was affected by the CRC-32 vulnerability, which was patched in versions 5.2(6) and 5.3(2); all later releases of the PIX OS contain the CRC-32 fix, so check your version before exposing SSH on the outside interface. Another enhancement Cisco provides is the ability to add AAA authentication of the SSH session using TACACS+ or RADIUS.

Configuring the PIX for SSH Access

There are two sets of tasks you need to complete to use SSH to access your PIX: